CVE-2026-24719: QTS, QuTS hero
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions:
- QTS 5.2.9.3492 build 20260507 and later
- QuTS hero h5.2.9.3499 build 20260514 and later
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: 5.2.9.3492 build 20260507
- Affected Products: 2
HarborGuard Analysis
Synopsis
A command injection vulnerability affects QNAP QTS and QuTS hero operating system versions prior to their respective fix builds. The flaw is reachable over the network but requires an attacker to first hold or obtain an administrator account; no victim interaction is needed. Successful exploitation lets an attacker run arbitrary operating system commands on the affected NAS device, giving full control over confidentiality, integrity, and availability. Patched-image rebuilds at QTS 5.2.9.3492 build 20260507 and QuTS hero h5.2.9.3499 build 20260514 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
- Available: Detection capability is available across every HarborGuard environment. CVE-2026-24719 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that layer QNAP OS components.
- Available: HarborGuard scores this finding at CVSS v4.0 8.6 (HIGH) and weights it against each environment's compliance policy, then routes the alert to the appropriate team inbox within each customer organization.
- Available: A patched-image rebuild at QTS 5.2.9.3492 build 20260507 or QuTS hero h5.2.9.3499 build 20260514 becomes available on HarborGuard once the fix version is confirmed for an affected image. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable service is exposed over the network, so an attacker must be able to reach it remotely to attempt exploitation.
- Authentication: Required
An administrator-level account is required; the attacker must first acquire or compromise a privileged credential before the injection is reachable.
- Victim interaction: Not required
No action from a legitimate user is needed; the attacker operates entirely without victim participation.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- A successful attacker executes arbitrary OS commands on the NAS with the privilege level of the service process.
- All data stored on the device is readable, exposing files, credentials, and configuration secrets.
- An attacker can modify or delete stored data, corrupting files and altering system configuration.
- The attacker can crash or suspend NAS services, making stored data and hosted applications unavailable.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-24719 is active against all scanned images the moment the advisory is ingested. For environments running a vulnerable QTS or QuTS hero version, a patched-image rebuild targeting QTS 5.2.9.3492 build 20260507 or QuTS hero h5.2.9.3499 build 20260514 is made available automatically. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and affected-image inventory attached.
Fix available
- QNAP Systems Inc. / QTS: < 5.2.9.3492 build 20260507 (from 5.2.0)
- QNAP Systems Inc. / QuTS hero: < h5.2.9.3499 build 20260514 (from h5.2.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
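To turn the affected ranges above into a check that can be run over a NAS inventory, here is an added example (not HarborGuard's or QNAP's own code) that parses version strings in the advisory's format, including the "h" prefix that marks QuTS hero and the trailing build date, and tests each one against the two listed ranges. The host names and versions in the sample inventory are constructed.

```python
import re

# Affected ranges from the advisory, as [introduced, fixed) per product.
# Strings follow the advisory's format, e.g. "5.2.9.3492 build 20260507";
# QuTS hero versions carry a leading "h".
AFFECTED_RANGES = {
    "QTS": ("5.2.0", "5.2.9.3492 build 20260507"),
    "QuTS hero": ("h5.2.0", "h5.2.9.3499 build 20260514"),
}

_VERSION_RE = re.compile(
    r"^(?P<hero>h)?(?P<ver>\d+(?:\.\d+)*)(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (is_hero, version_tuple, build) for a QNAP version string.

    build is 0 when no build date is given, so a bare "5.2.0" sorts
    before every dated build of 5.2.0 (the range lower bound is inclusive).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    version = tuple(int(p) for p in m.group("ver").split("."))
    return bool(m.group("hero")), version, int(m.group("build") or 0)


def is_affected(product, version_text):
    """True when version_text lies in the advisory's affected range for product."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"product not covered by CVE-2026-24719: {product!r}")
    hero, version, build = parse_version(version_text)
    lo_hero, lo_ver, lo_build = parse_version(AFFECTED_RANGES[product][0])
    _, hi_ver, hi_build = parse_version(AFFECTED_RANGES[product][1])
    if hero != lo_hero:
        # An "h" version is QuTS hero; never compare it against the QTS range.
        raise ValueError(f"{version_text!r} does not look like a {product} version")
    # Same version number with an earlier build date is still affected.
    return (lo_ver, lo_build) <= (version, build) < (hi_ver, hi_build)


def triage(inventory):
    """Map host -> 'affected'/'fixed' for (host, product, version_text) tuples."""
    return {host: ("affected" if is_affected(product, ver) else "fixed")
            for host, product, ver in inventory}


if __name__ == "__main__":
    sample = [  # constructed inventory, not real hosts
        ("nas-01", "QTS", "5.2.8.3200 build 20260110"),
        ("nas-02", "QTS", "5.2.9.3492 build 20260507"),
        ("nas-03", "QuTS hero", "h5.2.9.3480 build 20260401"),
    ]
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```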